LWN: Comments on "LEDE v17.01.4 service release"

LEDE v17.01.4 service release

brunowolff — Thu, 02 Nov 2017 09:22:14 +0000

I finally updated the firmware on my router to LEDE (17.01.4) and tried using the wireguard feature and found it pretty easy. The plan is to have multiple tunnels with end points on the router and only allow packets to the tunnels that come from tunnels. So far I just have one laptop and a tunnel from work ending there. The idea is to not let guests get access to the work tunnel. It seems to work fine. I use two forward chain iptables rules to block the unwanted packets. (The laptops and work cannot directly connect to each other, so an always there end point is needed to allow them to communicate.)
I want to eventually use this to provide static IP addresses to my laptops no matter where they are located, but for now the design assumes they are on my home network.

LEDE v17.01.4 service release

xxiao — Sun, 22 Oct 2017 16:45:55 +0000

while LEDE reacts much faster than the vendors, LEDE still lacks a security team like what Debian has, so it is good, but still has rooms to improve.

LEDE v17.01.4 service release

xxiao — Sun, 22 Oct 2017 16:44:31 +0000

In fact Openwrt still have much more documents than what LEDE has now, so the documentation should be merged somehow too, at the moment, I still spend most of my time on openwrt's website instead of LEDE's.

LEDE v17.01.4 service release

ghane — Fri, 20 Oct 2017 13:51:49 +0000

> Anyone has any experience about an upgrade like that?

I went earlier this year from OpenWRT to Lede, on my TPLink 4900.

I used the squashfs "upgrade" option. Everything I could test was preserved (except add-on packages, like ddns, but the config data was preserved, so once I installed ddns, it came up correctly).

I spent lots of time looking for information, and finally did it blindly.

LEDE v17.01.4 service release

yaneti — Fri, 20 Oct 2017 13:49:14 +0000

I did a sysupgrade with lede 17.01.3 of two wndr3700v2's , one openwrt 15..something, the other 14...
Went without a hitch. Very pleasantly surprised..

LEDE v17.01.4 service release

linusw — Fri, 20 Oct 2017 13:37:51 +0000

To me the whole takeaway from this debacle is that it is paramount that vendors support installation of an unmodified OpenWRT/LEDE installation on the products.

Some users may prefer the vanilla user experience with the open router/NAS software but that is not really the point, the point is that it supports quick incident patching and aftermarket support. With the significant number of devices out there that have been declared "end of life" this is increasingly relevant, and these two projects importance is constantly underrated.

LEDE v17.01.4 service release

jospoortvliet — Fri, 20 Oct 2017 13:30:35 +0000

So with OpenWRT and LEDE talking about collaboration (seeing on the ML they're still far from truly merging back) I guess this could be considered an upgrade to OpenWRT 15.05.. Anyone has any experience about an upgrade like that?

'cuz looking from the activity in OpenWRT it seems, as often, the fork is the project that's actually alive. Yes, I know, look who's talking, I should've figured this out sooner ;-)

LEDE v17.01.4 service release

jmspeex — Fri, 20 Oct 2017 03:56:30 +0000

Oops, I meant to do a top-level reply -- my bad.

LEDE v17.01.4 service release

zx2c4 — Fri, 20 Oct 2017 03:54:22 +0000

The grandparent comment about WireGuard you've replied to isn't actually security-related, but I too am impressed by LEDE's general energy to move forward quickly with development, whether it's patching security bugs like you suggested or adding in new technologies like WireGuard like I suggested. It seems like the project is doing quite well.

LEDE v17.01.4 service release

jmspeex — Fri, 20 Oct 2017 03:51:13 +0000

I'm actually impressed at how quickly LEDE has been responding to the recent security issues -- both the dnsmasq one and now WPA. Many thanks to everyone involved -- your effort is highly appreciated.

LEDE v17.01.4 service release

rahvin — Fri, 20 Oct 2017 02:56:52 +0000

LEDE and OpenWRT are merging, but LEDE is becoming the new release, about the only thing coming over from OpenWRT are the website, trademarks and stuff, all the technical side, build infrastructure, etc is coming from the LEDE side. So I would expect LEDE to continue to release right up until they rename it OpenWRT.

LEDE v17.01.4 service release

zx2c4 — Thu, 19 Oct 2017 22:49:22 +0000

Importantly, we also managed to get WireGuard moved from openwrt/packages to lede/source, which means it's now part of the normal integration situation with LEDE, and we'll be able to keep it updated to the latest snapshots that way. If you're into WireGuard, you should be able to simply run:

# opkg install wireguard

Here's a little screencast of it in action inside qemu.

LEDE v17.01.4 service release

lambda — Thu, 19 Oct 2017 21:09:07 +0000

What ever happened to the unification of the LEDE project and OpenWrt? I thought that LEDE and OpenWrt were going to merge again, under the OpenWrt brand, but it looks like LEDE is still doing releases and OpenWrt is not. Was I mistaken, did the merge stall out or fall apart, or is it still ongoing and just slower than I expected?

LEDE v17.01.4 service release

timo_s — Thu, 19 Oct 2017 20:54:47 +0000

On a shell you can run:
~$ uci set wireless.@wifi-iface[0].wpa_disable_eapol_key_retries='1'
~$ uci set wireless.@wifi-iface[1].wpa_disable_eapol_key_retries='1'
~$ uci commit
~$ reboot
(assuming you have two radios, 2.4GHz and 5GHz, following at the default naming scheme wifi_iface[0] etc.)

You can also set this from the web interface. However, this only works if you updated all your luci* packages after you flashed 17.01.4. There was a bug in the released images that led to the option only being visible in the web interface under certain conditions. This has been resolved right after the release of 17.01.4, so you manually need to update your packages in order to get that fix. Then you can find the option in the Wireless Security tab of each of your wireless interfaces.

LEDE v17.01.4 service release

astian — Thu, 19 Oct 2017 18:30:10 +0000

Maybe they are referring to this hostap patch?

LEDE v17.01.4 service release

marcH — Thu, 19 Oct 2017 17:34:38 +0000

> As this workaround can cause interoperability issues and reduced robustness of key negotiation, this workaround is disabled by default.

Any idea how this can be enabled?

PS: I looked for a "donate" page but nothing yet :-(